CVE Number:         N/A (not assigned)
Title:              CakePHP AssetDispatcher Local File Inclusion Vulnerability
Affected Software:  Confirmed on CakePHP v2.3.7, v2.2.8
                    (prior versions may also be affected)
Credit:             Takeshi Terada of Mitsui Bussan Secure Directions, Inc.
Issue Status:       v2.3.8 & 2.2.9 was released which fixes this vulnerability

Overview:
  CakePHP is an open-source web application framework for PHP.
  CakePHP (v2.3.7, 2.2.8 and possibly prior versions) is vulnerable to
  LFI (Local File Inclusion) attack. Remote attacker can abuse this
  vulnerability to steal files on the server or execute PHP commands,
  if the target application has one or more themes or plugins. It is
  caused by insufficient input validation in AssetDispatcher class.

Details:
  CakePHP's AssetDispatcher class serves asset resources (such as image
  files) stored under individual theme or plugin directory. This class
  determines requested resource's path based on PATH_INFO of request URI.

  To prevent attacks, this class validates PATH_INFO and stops loading
  requested resource if PATH_INFO contains ".." sequence. But after the
  validation step, PATH_INFO will be urldecoded in _getAssetFile(). This
  allows attackers to bypass ".." check by urlencoded dot chars (%2e).

  I present two examples of attack URI. In both examples, Cake serves the
  content of /etc/passwd in HTTP response body.

  UR1: http://victim-host/cakephp-2.3.7/theme/Test1/%2e.//%2e.//%2e.//%2e.
    //%2e.//%2e.//%2e.//%2e.//%2e.//%2e.//%2e.//%2e.//%2e./etc/passwd

  Successful attack requires one or more themes on the target server.
  In the example above, the target application must have "Test1" theme.
  This restriction is due to file_exists() check in beforeDispatch().

  URL2: http://victim-host/cakephp-2.3.7/DebugKit/%2e.//%2e.//%2e.//%2e.//
    %2e.//%2e.//%2e.//%2e.//%2e.//%2e.//%2e.//%2e.//%2e./etc/passwd

  Second example is almost same as first one. The difference is that
  second one requires one or more Cake plugins with webroot directory.
  The plugins must be actually enabled on the target server.

  The requested resource is served via include statement, so that PHP
  code execution by LFI is possible if the target Cake application
  allows uploading files such as image, text and so on.

Timeline:
  2013/07/16  Reported to CakePHP Security ML
  2013/07/18  Vender announced v2.3.8 & 2.2.9
  2013/08/13  Disclosure of this advisory

Recommendation:
  Upgrade to the latest version.

Reference:
  http://bakery.cakephp.org/articles/markstory/2013/07/18/cakephp_2_3_8_2_2_9_released